Update to 2021-12-01 19:13

roles/phpmyadmin/defaults/main.yml

@@ -0,0 +1,74 @@
+---
+
+# Version to deploy
+pma_version: 5.1.1
+# ID of the instance. Several instances can be installed on the same server
+# they must have different ID
+pma_id: "1"
+# URL from where the archive will be downloaded
+pma_archive_url: https://files.phpmyadmin.net/phpMyAdmin/{{ pma_version }}/phpMyAdmin-{{ pma_version }}-all-languages.zip
+# Expected sha256 of the archive, to verify the download
+pma_archive_sha256: 78a5d93621f9fdfc221a530705025dc79c1abc7a4d6a940a9d0a9a3719d0554c
+# Should ansible handle upgrades. If False, then only the initial install will be done
+pma_manage_upgrade: True
+# Where phpMyAdmin will be installed
+pma_root_dir: /opt/phpmyadmin_{{ pma_id }}
+# phpMyAdmn uses a DB to store queries. Here are the param for this DB
+# MySQL DB user
+pma_db_user: pma_{{ pma_id }}
+# MySQL DB name
+pma_db_name: pma_{{ pma_id }}
+# MySQL DB server
+pma_db_server: "{{ mysql_server | default('localhost') }}"
+# MySQL db password
+# If Not defined, a random one will be created and stored under {{ pma_root_dir }}/meta/ansible_dbpass
+# pma_db_pass: 
+
+# If defined, will use this specific FPM pool, which must exist.
+# Else, a PHP pool will be configured
+# pma_php_fpm_pool: pma
+# PHP version to use for the PHP pool
+pma_php_version: 80
+# Unix account under which the PHP pool will run. The user will be created
+pma_php_user: php-pma_{{ pma_id }}
+
+# Env vars which contain the login of the current user
+# This can be used for example with Lemonldap::NG protecting phpMyAdmin
+pma_sso_user_fields:
+  - REMOTE_USER
+  - REDIRECT_REMOTE_USER
+# Same for the groups the user is member of
+pma_sso_groups_fields: []
+# pma_sso_groups_fields
+#   - HTTP_USER_GROUPS
+
+# Optional list of IP/CIDR having access to phpMyAdmin
+# pma_src_ip:
+#   - 127.0.0.1
+
+# If defined, an alias (eg /phpmyadmin) will be created
+# If not defined, you'll have to create a vhost pointing at {{ pma_root_dir }}/web
+# for phpMyAdmin to be reachable
+# pma_alias: phpmyadmin
+
+# List of database servers
+pma_servers: []
+# pma_servers:
+#   - host: localhost
+#     port: 3306
+#     socket: /var/lib/mysql/mysql.sock
+#     auth_type: signon
+
+# Dict of phpMyAdmin users and their corresponding MySQL credentials
+pma_sso_users: []
+# pma_sso_users:
+#   - user: dani
+#     sql_login: admin
+#     sql_password: p@ssw0rd
+
+# Same for groups
+pma_sso_groups: []
+# pma_sso_groups:
+#   - group: DB_Admins
+#     sql_login: admin
+#     sql_password: s3cr3t.

roles/phpmyadmin/handlers/main.yml

@@ -0,0 +1,3 @@
+---
+- include: ../httpd_common/handlers/main.yml
+- include: ../httpd_php/handlers/main.yml

roles/phpmyadmin/meta/main.yml

@@ -0,0 +1,7 @@
+---
+
+allow_duplicates: True
+dependencies:
+  - role: httpd_php
+  - role: mysql_server
+    when: pma_db_server in ['localhost','127.0.0.1']

roles/phpmyadmin/tasks/archive_post.yml

@@ -0,0 +1,8 @@
+---
+
+- import_tasks: ../includes/webapps_compress_archive.yml
+  vars:
+    - root_dir: "{{ pma_root_dir }}"
+    - version: "{{ pma_current_version }}"
+  tags: pma
+

roles/phpmyadmin/tasks/archive_pre.yml

@@ -0,0 +1,8 @@
+---
+
+- import_tasks: ../includes/webapps_archive.yml
+  vars:
+    - root_dir: "{{ pma_root_dir }}"
+    - version: "{{ pma_current_version }}"
+    - db_name: "{{ pma_db_name }}"
+  tags: pma

roles/phpmyadmin/tasks/cleanup.yml

@@ -0,0 +1,9 @@
+---
+
+- name: Remove temp files
+  file: path={{ item }} state=absent
+  with_items:
+    - "{{ pma_root_dir }}/tmp/phpMyAdmin-{{ pma_version }}-all-languages.zip"
+    - "{{ pma_root_dir }}/tmp/phpMyAdmin-{{ pma_version }}-all-languages"
+  tags: pma
+

roles/phpmyadmin/tasks/conf.yml

@@ -0,0 +1,17 @@
+---
+
+- import_tasks: ../includes/webapps_webconf.yml
+  vars:
+    - app_id: pma_{{ pma_id }}
+    - php_version: "{{ pma_php_version }}"
+    - php_fpm_pool: "{{ pma_php_fpm_pool | default('') }}"
+  tags: pma
+
+- name: Deploy sso scripts
+  template: src=sso.php.j2 dest={{ pma_root_dir }}/web/sso.php group={{ pma_php_user }} mode=640
+  tags: pma
+
+- name: Deploy phpMyAdmin config
+  template: src=config.inc.php.j2 dest={{ pma_root_dir }}/web/config.inc.php group={{ pma_php_user }} mode=640
+  tags: pma
+

roles/phpmyadmin/tasks/directories.yml

@@ -0,0 +1,14 @@
+---
+
+- name: Create directory structure
+  file: path={{ item.dir }} state=directory mode={{ item.mode | default(omit) }}
+  loop:
+    - dir: "{{ pma_root_dir }}"
+    - dir: "{{ pma_root_dir }}/web"
+    - dir: "{{ pma_root_dir }}/tmp"
+    - dir: "{{ pma_root_dir }}/sessions"
+    - dir: "{{ pma_root_dir }}/cache"
+    - dir: "{{ pma_root_dir }}/meta"
+      mode: 700
+    - dir: "{{ pma_root_dir }}/data"
+  tags: pma

roles/phpmyadmin/tasks/facts.yml

@@ -0,0 +1,37 @@
+---
+
+# Load distribution specific variables
+- include_vars: "{{ item }}"
+  with_first_found:
+    - vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml
+    - vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml
+    - vars/{{ ansible_distribution }}.yml
+    - vars/{{ ansible_os_family }}.yml
+  tags: pma
+
+# Detect current version (if any) and set install_mode (to none, upgrade or install)
+- block:
+    - import_tasks: ../includes/webapps_set_install_mode.yml
+      vars:
+        - root_dir: "{{ pma_root_dir }}"
+        - version: "{{ pma_version }}"
+    - set_fact: pma_install_mode={{ (install_mode == 'upgrade' and not pma_manage_upgrade) | ternary('none',install_mode) }}
+    - set_fact: pma_current_version={{ current_version | default('') }}
+  tags: pma
+
+# Generate a random key for cookie signing
+- block:
+    - import_tasks: ../includes/get_rand_pass.yml
+      vars:
+        - pass_file: "{{ pma_root_dir }}/meta/key.txt"
+    - set_fact: pma_key={{ rand_pass }}
+  tags: pma
+
+# Generate a DB password if not defined
+- when: pma_db_pass is not defined
+  block:
+    - import_tasks: ../includes/get_rand_pass.yml
+      vars:
+        - pass_file: "{{pma_root_dir }}/meta/ansible_dbpass"
+    - set_fact: pma_db_pass={{ rand_pass }}
+  tags: pma

roles/phpmyadmin/tasks/install.yml

@@ -0,0 +1,54 @@
+---
+
+- name: Install dependencies
+  yum: name={{ pma_packages }}
+  tags: pma
+
+- when:  pma_install_mode != 'none'
+  block:
+
+    - name: Download phpMyAdmin
+      get_url:
+        url: "{{ pma_archive_url }}"
+        dest: "{{ pma_root_dir }}/tmp/"
+        checksum: "sha256:{{ pma_archive_sha256 }}"
+    
+    - name: Extract pma archive
+      unarchive:
+        src: "{{ pma_root_dir }}/tmp/phpMyAdmin-{{ pma_version }}-all-languages.zip"
+        dest: "{{ pma_root_dir }}/tmp"
+        remote_src: yes
+    
+    - name: Move files to the correct directory
+      synchronize:
+        src: "{{ pma_root_dir }}/tmp/phpMyAdmin-{{ pma_version }}-all-languages/"
+        dest: "{{ pma_root_dir }}/web/"
+        compress: False
+        delete: True
+      delegate_to: "{{ inventory_hostname }}"
+
+  tags: pma
+
+- import_tasks: ../includes/webapps_create_mysql_db.yml
+  vars:
+    - db_name: "{{ pma_db_name }}"
+    - db_user: "{{ pma_db_user }}"
+    - db_server: "{{ pma_db_server }}"
+    - db_pass: "{{ pma_db_pass }}"
+  tags: pma
+
+- name: Prepare SQL file to create tables
+  replace: path={{ pma_root_dir }}/web/sql/create_tables.sql regexp='phpmyadmin' replace={{ pma_db_name }}
+  tags: pma
+
+- name: Create tables
+  mysql_db:
+    name: "{{ pma_db_name }}"
+    state: import
+    target: "{{ pma_root_dir }}/web/sql/create_tables.sql"
+    login_host: "{{ pma_db_server }}"
+    login_user: sqladmin
+    login_password: "{{ mysql_admin_pass }}"
+  when: db_created.changed
+  tags: pma
+

roles/phpmyadmin/tasks/main.yml

@@ -0,0 +1,14 @@
+---
+
+- include: user.yml
+- include: directories.yml
+- include: facts.yml
+- include: archive_pre.yml
+  when: pma_install_mode == 'upgrade'
+- include: install.yml
+- include: conf.yml
+- include: archive_post.yml
+  when: pma_install_mode == 'upgrade'
+- include: cleanup.yml
+- include: write_version.yml
+

roles/phpmyadmin/tasks/user.yml

@@ -0,0 +1,8 @@
+---
+
+- import_tasks: ../includes/create_system_user.yml
+  vars:
+    - user: "{{ pma_php_user }}"
+    - comment: "PHP FPM for pma {{ pma_id }}"
+  tags: pma
+

roles/phpmyadmin/tasks/write_version.yml

@@ -0,0 +1,7 @@
+---
+
+- import_tasks: ../includes/webapps_post.yml
+  vars:
+    - root_dir: "{{ pma_root_dir }}"
+    - version: "{{ pma_version }}"
+  tags: pma

roles/phpmyadmin/templates/config.inc.php.j2

@@ -0,0 +1,36 @@
+<?php
+/*
+{{ ansible_managed }}
+*/
+
+$cfg['blowfish_secret'] = '{{ pma_key }}';
+$i = 0;
+
+{% for server in pma_servers | default([]) %}
+$i++;
+$cfg['Servers'][$i]['auth_type'] = '{{ server.auth_type | default('cookie') }}';
+$cfg['Servers'][$i]['host'] = '{{ server.host | default(mysql_server) }}';
+{% if server.auth_type == 'signon' %}
+$cfg['Servers'][$i]['SignonURL'] = '/sso.php';
+$cfg['Servers'][$i]['SignonSession'] = 'PmaSignonSession';
+{% endif %}
+{% if server.host | default('localhost') == 'localhost' %}
+$cfg['Servers'][$i]['socket'] = '{{ server.socket | default('/var/lib/mysql/mysql.sock') }}';
+{% endif %}
+{% if server.port is defined %}
+$cfg['Servers'][$i]['port'] = '{{ server.port }}';
+{% endif %}
+$cfg['Servers'][$i]['compress'] = false;
+$cfg['Servers'][$i]['AllowNoPassword'] = false;
+
+{% endfor %}
+
+$cfg['UploadDir'] = '{{ pma_root_dir }}/tmp';
+$cfg['TempDir'] = '{{ pma_root_dir }}/tmp';
+$cfg['SaveDir'] = '{{ pma_root_dir }}/data';
+
+$cfg['ShowAll'] = true;
+$cfg['SendErrorReports'] = 'never';
+$cfg['PmaNoRelation_DisableWarning'] = true;
+
+?>

roles/phpmyadmin/templates/httpd.conf.j2

@@ -0,0 +1,44 @@
+{% if pma_alias is defined %}
+Alias /{{ pma_alias }} {{ pma_root_dir }}/web
+{% else %}
+# No alias defined, create a vhost to access it
+{% endif %}
+
+ProxyTimeout 1800
+<Directory {{ pma_root_dir }}/web>
+  AllowOverride All
+  Options FollowSymLinks
+{% if pma_allowed_ip is defined %}
+  Require ip {{ pma_allowed_ip | join(' ') }}
+{% else %}
+  Require all granted
+{% endif %}
+  <FilesMatch \.php$>
+    SetHandler "proxy:unix:/run/php-fpm/{{ pma_php_fpm_pool | default('pma_' + pma_id | string) }}.sock|fcgi://localhost"
+  </FilesMatch>
+
+  <FilesMatch "(\.git.*|README|LICENSE|DCO|CONTRIBUTING\.md|ChangeLog|composer\..*|config(\.sample)?\.inc\.php)">
+    Require all denied
+  </FilesMatch>
+</Directory>
+<Directory {{ pma_root_dir }}/web/examples>
+  Require all denied
+</Directory>
+<Directory {{ pma_root_dir }}/web/libraries>
+  Require all denied
+</Directory>
+<Directory {{ pma_root_dir }}/web/sql>
+  Require all denied
+</Directory>
+<Directory {{ pma_root_dir }}/web/locales>
+  Require all denied
+</Directory>
+<Directory {{ pma_root_dir }}/web/setup>
+  Require all denied
+</Directory>
+<Directory {{ pma_root_dir }}/web/sql>
+  Require all denied
+</Directory>
+<Directory {{ pma_root_dir }}/web/vendor>
+  Require all denied
+</Directory>

roles/phpmyadmin/templates/perms.sh.j2

@@ -0,0 +1,16 @@
+#!/bin/sh
+
+restorecon -R {{ pma_root_dir }}
+chown root:root {{ pma_root_dir }}
+chmod 700 {{ pma_root_dir }}
+chown -R root:root {{ pma_root_dir }}/meta
+chmod 700 {{ pma_root_dir }}/meta
+setfacl -R -k -b {{ pma_root_dir }}
+setfacl -m u:{{ pma_php_user | default('apache') }}:rx,u:{{ httpd_user | default('apache') }}:rx {{ pma_root_dir }}
+chown -R root:root {{ pma_root_dir }}/web
+chown -R {{ pma_php_user }} {{ pma_root_dir }}/{tmp,sessions,cache}
+chmod 700 {{ pma_root_dir }}/{tmp,sessions,cache}
+find {{ pma_root_dir }}/web -type f -exec chmod 644 "{}" \;
+find {{ pma_root_dir }}/web -type d -exec chmod 755 "{}" \;
+chown root:{{ pma_php_user }} {{ pma_root_dir }}/web/{sso.php,config.inc.php}
+chmod 640 {{ pma_root_dir }}/web/{sso.php,config.inc.php}

roles/phpmyadmin/templates/php.conf.j2

@@ -0,0 +1,37 @@
+[pma_{{ pma_id }}]
+
+listen.owner = root
+listen.group = {{ httpd_user | default('apache') }}
+listen.mode = 0660
+listen = /run/php-fpm/pma_{{ pma_id }}.sock
+user = {{ pma_php_user }}
+group = {{ pma_php_user }}
+catch_workers_output = yes
+
+pm = dynamic
+pm.max_children = 15
+pm.start_servers = 3
+pm.min_spare_servers = 3
+pm.max_spare_servers = 6
+pm.max_requests = 5000
+request_terminate_timeout = 30m
+
+php_flag[display_errors] = off
+php_admin_flag[log_errors] = on
+php_admin_value[error_log] = syslog
+php_admin_value[memory_limit] = 512M
+php_admin_value[session.save_path] = {{ pma_root_dir }}/sessions
+php_admin_value[upload_tmp_dir] = {{ pma_root_dir }}/tmp
+php_admin_value[sys_temp_dir] = {{ pma_root_dir }}/tmp
+php_admin_value[post_max_size] = 1024M
+php_admin_value[upload_max_filesize] = 1024M
+php_admin_value[disable_functions] = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd
+php_admin_value[open_basedir] = {{ pma_root_dir }}
+php_admin_value[max_execution_time] = 1800
+php_admin_value[max_input_time] = 1800
+php_admin_value[max_input_vars] = 10000
+php_admin_flag[allow_url_include] = off
+php_admin_flag[allow_url_fopen] = off
+php_admin_flag[file_uploads] = on
+php_admin_flag[session.cookie_httponly] = on
+

roles/phpmyadmin/templates/sso.php.j2

@@ -0,0 +1,59 @@
+<?php
+
+$login['admin'] = 'sqladmin';
+$password['admin'] = '{{ mysql_admin_pass | regex_replace('\'', '\\\'')}}';
+{% for user in pma_sso_users | default([]) %}
+$login['{{ user.user }}'] = '{{ user.sql_login }}';
+$password['{{ user.user }}'] = '{{ user.sql_password | regex_replace('\'', '\\\'') }}';
+{% endfor %}
+
+{% for group in pma_sso_groups | default([]) %}
+$g_login['{{ group.group }}'] = '{{ group.sql_login }}';
+$g_password['{{ group.group }}'] = '{{ group.sql_password | regex_replace('\'', '\\\'') }}';
+{% endfor %}
+
+{% for client in wh_clients | default([]) %}
+$g_login['Client_{{ client.name }}'] = '{{ client.name | regex_replace('\'', '\\\'') }}';
+$g_password['Client_{{ client.name }}'] = '{{ client.db_pass | default((wh_pass_seed | password_hash('sha256', 65534 | random(seed=client.name) | string))[9:27]) | regex_replace('\'', '\\\'') }}';
+{% endfor %}
+
+{% for field in pma_sso_user_fields %}
+if (!isSet($ssologin) && isSet($_SERVER['{{ field }}'])){
+    $ssologin = $_SERVER['{{ field }}'];
+}
+{% endfor %}
+{% for field in pma_sso_groups_fields %}
+if (!isSet($ssogroups) && isSet($_SERVER['{{ field }}'])){
+    $ssogroups = explode('; ', $_SERVER['{{ field }}']);
+}
+{% endfor %}
+
+if(isSet($ssologin) && isSet($login[$ssologin]) && isSet($password[$ssologin])) {
+    session_set_cookie_params(0, '/', '', 0);
+    session_name('PmaSignonSession');
+    session_start();
+    $_SESSION['PMA_single_signon_user'] = $login[$ssologin];
+    $_SESSION['PMA_single_signon_password'] = $password[$ssologin];
+    session_write_close();
+    header('Location: /index.php');
+    exit(0);
+} elseif (isSet($ssogroups)) {
+    foreach ($ssogroups as $group){
+        if (isSet($g_login[$group]) && isSet($g_password[$group])){
+            session_set_cookie_params(0, '/', '', 0);
+            session_name('PmaSignonSession');
+            session_start();
+            $_SESSION['PMA_single_signon_user'] = $g_login[$group];
+            $_SESSION['PMA_single_signon_password'] = $g_password[$group];
+            session_write_close();
+            header('Location: /index.php');
+            exit(0);
+        }
+    }
+}
+
+header('HTTP/1.0 403 Forbidden');
+echo 'Not logged in the SSO system';
+die;
+
+?>

roles/phpmyadmin/vars/RedHat-7.yml

@@ -0,0 +1,7 @@
+---
+
+pma_packages:
+  - unzip
+  - MySQL-python
+  - mariadb
+  - acl

roles/phpmyadmin/vars/RedHat-8.yml

@@ -0,0 +1,6 @@
+---
+
+pma_packages:
+  - unzip
+  - mariadb
+  - acl